A Small Visual Guide to the Senate Crypto Bill
Some of the Senate members are trying to promote a bill that is in response to the Apple vs FBI drama that is going about. Yet this bill is so broad that no one can truly predict the implications that it could have.
If you are curious, like I am, we can read the draft version of the bill. There is even a nice summary on Wired. I know that we have all used one security product or another, so you will most likely realize that it would make all encryption illegal.
A good example of all of this is a product such as a hard-drive with built in encryption is covered in the bill since Seagate provides this for data storage. Upon recieving a court order, Seagate would be required to provide the data on that drive by making me intelligible. This means it would never actually be encrypted, or they would be required -- mainly by law, if this passes -- to have the ability to decrypt it when requested.
The following graphic is to help provide an illustration the path by which all secure communications and storage needs to have a backdoor.
The overall idea is that any feature, service, or product that is created by or provided by a covered entity -- this means a device manufacturer, software manufacturer, remote computing service, communication service, or product or method for storing data -- who gets a court order is required to be made intelligible -- either never encrypted or if it is encrypted it must be decrypted -- and provided to the government.
The law does not seem to prevent users from using crypto directly after a product is purchased, but of course most users won’t. The issue isn’t strong crypto, it’s easy crypto.
Does this Affect Source Codes Also?
A quite amusing aspect of the bill is that it just doesn't cover encryption. It also includes data that has been either encoded, modulated, or obfuscated.
This process of turning human-readable source code into something that computers are able to understand often requires encoding it into a binary format. Also, one of the definitions of data includes the following:
Information stored on a device designed by a software manufacturer.
This would certainly seem to include the programs stored on that device. Does this require each and every developers to provide a source code also?
During the FBI vs. Apple drama, the FBI’s had a specifically got a warrant for a very specific phone. Their request was for Apple to modify their operating system's source code to remove certain security features from each and every phone (in theory). The FBI could of actually removed those features themselves, but they would more or less need Apple’s source code to make these dramatic changes. They would also needed the signing key, but let’s leave aside the whole idea of the signing key for now.
My understanding of this law would give the FBI a new power to request the operating system's source code under the scope of a warrant to search a specific phone. Then they would never need a search warrant issued against Apple in the first place.
Now I am debating the question of what about obfuscation? This means that they can make the code of your application confusing so that hackers cannot reverse engineer it to find out about the vulnerabilities. So does this require software companies to also turn over the source code of the obfuscated programs?
If you think about it, if the government does not want to write a Base64 decoder for your communications protocol can they can require you to write one for them?
There is some shockingly bad implications of this bill are most likely more unintentional than anything else. It’s very likely that these -- sometimes ignorant or just plain stupid -- Senate members simply don’t realize that the technologies to make data unintelligible to anyone, including the government, are 1) The cornerstone of cybersecurity as we know it, and 2) already widely available, and have been for many years.